This is the HashiCorp demo application on Amazon EKS. It incorporates the following tools:

• Terraform
• Waypoint
• HCP Consul
• HCP Vault
• Boundary

1. Terraform Cloud as Backend, state only (or reconfigure terraform directive in providers.tf)
2. AWS Account
3. HCP Consul (already set up with HVN + Cluster) - you will need the client_config.json and ca.pem copied to the secrets folder.
   1. You will need the public URL set as export CONSUL_HTTP_ADDR=<HCP Consul public URL>.
   2. You will need the bootstrap token set as export CONSUL_HTTP_TOKEN=<bootstrap token>.
4. HCP Vault (already set up with HVN + Cluster)
   1. You will need the private URL set as export VAULT_ADDR=<HCP Vault public URL>.
   2. You will need the namespace set as export VAULT_NAMESPACE=admin.
   3. HCP Vault admin token, set as export VAULT_TOKEN=<Vault token>.
5. jq installed
6. Install HashiCorp Boundary and an SSH key to ~/projects/boundary.
   1. Download Boundary to ~/projects/boundary/bin.

      mkdir -p ~/projects/boundary/bin
      cd ~/projects/boundary/bin
      wget https://releases.hashicorp.com/boundary/0.1.1/boundary_0.1.1_linux_amd64.zip -O boundary.zip
      unzip boundary.zip
      rm boundary.zip

   2. Add an SSH key named id_rsa to ~/projects/boundary.

1. Add the Consul and Vault addresses to terraform.tfvars.

   name                                     = "hcp-demo"
   peering_connection_has_been_added_to_hvn = false
   hcp_vault_private_addr                   = ${HCP_VAULT_PRIVATE_ADDRESS}
   hcp_consul_host                          = ${HCP_CONSUL_PRIVATE_ADDRESS}

2. Run make setup and enter yes to create the EKS cluster, VPC, and Boundary.

3. Set up the peering connection in HVN (do not accept, this configuration will do it for you).

4. In terraform.tfvars, set peering_connection_has_been_added_to_hvn to true. This executes the HVN/HCP module to accept the peering connection and add the security groups for HCP Consul.

   name                                     = "hcp-demo"
   peering_connection_has_been_added_to_hvn = true
   hcp_vault_private_addr                   = ${HCP_VAULT_PRIVATE_ADDRESS}
   hcp_consul_host                          = ${HCP_CONSUL_PRIVATE_ADDRESS}

5. Run make setup and enter yes to configure the HVN peering connection.

6. Run make configure-consul to install the Consul Helm chart to your EKS cluster.

7. Run make configure-vault to install the Vault Helm chart to your EKS cluster.

8. Run make configure-waypoint to install the Waypoint server to your EKS cluster.

9. Run make configure-boundary to configure the Boundary deployment.

10. Run make configure-consul-intentions to set up Consul intentions and allow traffic between services.

Using Boundary, you can audit and control the SSH sessions to the Kubernetes nodes.

1. Run make ssh. This will authenticate to Boundary and start an SSH session with the EKS nodes.

2. Go to the Boundary UI and examine the "Sessions".

The demo application for a coffee shop uses four services: a frontend, a public API, a products API for a database, and a database.

1. Run waypoint init to create the Waypoint project.

2. Run waypoint up -app database to create a PostgreSQL database.

3. Run make configure-db-creds to configure Vault database secrets engine.

4. Run waypoint up -app products to create the products API.

5. Run waypoint up -app public to create the public API endpoint.

6. Run waypoint up -app frontend to create the demo application frontend. Access the URL output by Waypoint.

After you deploy, you will be able to access the deployment URL for the frontend service and examine a product catalog for the coffee shop.

• The module for Boundary is based on the Boundary AWS Reference Architecture with slight modifications.

• The demo application comes from the HashiCorp Demo Application.